In a Microsoft Windows environment I think the best way of doing this is adding a Microsoft TMG Proxy, which already includes filtering based on categories. It also has the benefit of caching most of the traffic reducing overall bandwidth consumtion.

Another approach would be whitelisting all the permited sites in the proxy instead of basing the decision on categories, but your users might become too unhappy and rebel.